Database management systems are very efficient at storing large amounts of data; however, the data on these systems can be open to compromise or corruption by the database storage administrator, or by others gaining access to the system, whether by accident or otherwise.
In this discussion of the background of the invention, and in the description of the invention that follows in later sections of this description, reference will be made to a number of drawings, of which the following is:
It has been desirable to develop a system for managing application access control information in which access to a data element held in the database system cannot be compromised by the actions of the database storage administrator, and in which no persistent storage is required on the application server in order to maintain trust in the integrity of the data and in the enforcement of access control to the data.
A common implementation of a computing service relies on the availability of two entities: an Application Server, which is responsible for executing application logic of an application being used; and a Database Server, which is responsible for persistent storage of data. FIG. 1 illustrates one version of such a system with two application servers 1, 2, and a database server 3.
FIG. 2 illustrates a slightly more complex data processing environment, such as is found in network computing using a 3-tier architecture: a browser client 8, which a user may employ to store, update or retrieve data, connects through an information processing network 6 to an application web server 4, which in turn accesses database server 3, where the data is held.
Frequently one of the responsibilities of the application server is to enforce access control to the data or the services that it manages. This is commonly accomplished by the use of Access Control Lists (ACLs). An access control list (ACL) is associated with the secure item (the protected data), and contains the list of authorized entities (e.g. people, organizations, or applications), as well as each entity's permission for access to the item. It is very convenient to store the access control list on the database server, so that application data, as well as the corresponding access control information are managed by the same database store.
One of the aspects of this invention addresses the area of trust between an application server and a database server to which it has access. In known prior-art systems the end users of a data processing system trust both the application server and the database server with access to their data.
However, where multiple applications may access a database server, a user may trust only the application that the user is accessing, and not any other application that uses the same database server. In these situations it is important to ensure that the following objectives are met:
    1. The database server administrator cannot understand the information that it stores;
    2. The database server administrator cannot modify the information that it stores; and,
    3. The database server administrator cannot modify the access permissions to the information that it stores.
The present invention describes a system that satisfies the above requirements, so that even a multi-tier system can use a database server for persistent data management without requiring the database store to be trusted with either the contents of the data or control of access to the data.
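The following is an added illustration of how an application server can meet objectives 1 to 3 above when the database server is untrusted; it is not the patent's own mechanism. It assumes the application server holds two constructed keys that the database never sees, encrypts each data element, and computes one integrity tag over the ACL and the ciphertext together, so that the database administrator can neither read the data nor alter the data or its ACL without detection. HMAC-SHA256 in counter mode stands in for a standard AEAD such as AES-GCM only so that the example runs with the Python standard library.

```python
import hashlib
import hmac
import json
import os

# Constructed keys for this example. The application server holds them; the
# database server never sees them, so its administrator cannot read the data.
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF-based stream cipher (stdlib only)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _tag(nonce, acl_bytes, ciphertext):
    """Encrypt-then-MAC over nonce, length-prefixed ACL and ciphertext, so the ACL
    and the data it governs cannot be modified, or recombined, independently."""
    msg = nonce + len(acl_bytes).to_bytes(4, "big") + acl_bytes + ciphertext
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()


def seal(acl, plaintext, nonce=None):
    """Build the record the application server hands to the database server.
    The ACL stays readable (the database may index it); the data does not."""
    nonce = nonce if nonce is not None else os.urandom(16)
    acl_bytes = json.dumps(acl, sort_keys=True).encode()
    ks = _keystream(ENC_KEY, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    return {"nonce": nonce, "acl": acl_bytes, "ct": ciphertext,
            "tag": _tag(nonce, acl_bytes, ciphertext)}


def open_record(record, principal):
    """Verify integrity first, then enforce the ACL, then decrypt.
    Returns (status, plaintext) with status 'ok', 'denied' or 'tampered'."""
    expected = _tag(record["nonce"], record["acl"], record["ct"])
    if not hmac.compare_digest(expected, record["tag"]):
        return ("tampered", None)   # data or ACL altered on the database side
    acl = json.loads(record["acl"])
    if principal not in acl.get("read", []):
        return ("denied", None)     # ACL intact but grants no access
    ks = _keystream(ENC_KEY, record["nonce"], len(record["ct"]))
    return ("ok", bytes(c ^ k for c, k in zip(record["ct"], ks)))
```

Because the tag covers both fields, a database-side edit that adds a principal to the ACL fails verification before the ACL is ever consulted.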